Pages

Tuesday, 8 October 2013

Another 'piece of art' work by some actor learning how to 'copy/paste' code. There is nothing wrong with copy/paste as long as you understand what the code does. Judging by the amount of unused code that even includes 'System.out.println' statements, seems the author was afraid to change and accidentally break it. This in turn helped to narrow down a potential region where the Java code is coming from. This is also another example of Java malware that is not using any exploit code, but targeting users with administrator privileges on their machines. I'll tag it 'Java Malware' as it doesn't fit the definition of an exploit kit. The real danger of this type of malware is stealthiness - as long as the payload it delivers is not being detected by AV(and it's quite easily achievable).

"Toto, I've a feeling we're not in Kansas anymore."

The URL pattern for this sample is short and simple.

The landing page doesn't have any sophisticated parts either, but at least there are simple checks for Java presence and OS type performed before pulling down Java JAR file.

checking for Java Web Start or JNLP support in the browser

Even though the checks above are performed, JNLP technology is not utilized to deliver the JAR file. These checks simply identify if Java RE is present. Returned 'boolean' value steers the execution and if found to be 'false' will stop the script execution and exit. If Java is found the following condition is checked next.

OS type check and JAR request through 'document.write'

This Java Malware targets Windows machines only. Even if Java is present the script execution will stop if no Windows OS is found. The detection is based on browser's 'User-Agent' value.

"This one time, at band camp..."

As mentioned earlier, there is no exploit code in the JAR file. The execution starts with creating a simple folder structure on drive 'C'.

call for 'docmdsyn' to create two folders

'docmdsyn' function calls 'cmd.exe' to run the commands

Regardless of the outcome of running the two commands, the execution will continue with a request for the Initial Payload using hardcoded URL and a 'borrowed' Java code.

hardcoded URL & 'downloadFile' function call

'downloadFile' function

Thinking that 'this url is error' sounds like rather strange English, I did a search for 'System.out.println("this url is error");' expression and noticed that most of the search results are pointing at Chinese websites. From what I can figure out using Google Translate, the websites are forums/boards used by Java developers to exchange knowledge and share different code samples for different purposes. The code samples there are almost 100% matching the function in the screenshot above.

The Initial Payload is XORed with a single value key - '0x12'. The encoded version of the payload will be stored in 'c:\users\public\svchost.cab' and passed to a function do decode it.

part of 'xorEn' function code

There are tons of unused code and the declaration of 'XOR_CONST' variable is just a small example of it. Hoping to find something interesting, did another search using just a part of the declaration statement - 'public static final byte XOR_CONST' . Surprisingly, the search result page contained links pointing at the same Chinese websites with Java code samples that match quite closely the code in the screenshot above even including the 'xor' key value. So, if not the author's location, at least some parts of the source code seem to be specific to one particular geographical region.

Once the Initial Payload is decoded, it'll be stored in 'c:\users\public\svchost.exe' and executed using the same 'docmdsyn' function. It's not all though. There is a small bonus in the form of some registry changes and a clean up operation.

Windows Terminal Services changes

Number of commands will be executed to enable Windows Terminal Services and delete the encoded Initial Payload. One of the registry key changes enables spawning 'Windows Command Prompt' at the login screen by hitting a key on the keyboard a few types - also known as 'sticky keys' vulnerability.

Monday, 7 October 2013

I'm not sure if definition 'exploit kit' is actually applicable here. Yes, there is an exploit code copied from PSA(Packet Storm Advisory) for 'CVE-2013-2465', but I'd expect more code around it before calling it a 'kit' and I can't imagine there is a server side code exist. There is no any sort of environment validation: plugins and their version identification, initial payload encryption, data encoding, code obfuscation. Base64 encoding is used just once to 'hide' a single string. So, another 'interesting' work.

"Landing page"

URL pattern is short and simple.

The landing page is also short and simple.

The parameter name is the first hint to the possible origins of this Java exploit. 'kurban' translated from Turkish means 'victim'. The value held by this parameter is the Initial Payload location.

"JAR file"

JAR file is 'packed' with goodies. The execution begins with an attempt to exploit 'CVE-2013-2465' vulnerability.

part of PSA exploit code for CVE-2013-2465

Just before diving into screwing 'storeImageArray()' function, a single call for 'base64coder' is made to decode a single and the only encoded string.

The author was rushing because mum just called him/her for dinner and didn't bother cleaning up someone's 'base64coder' code that might have been copied from 'source-code.biz'. All encoding methods were left in even though are not used.

A few more hints pointing at the origins or one of the languages the author is speaking.

Google translated from Turkish: 'dosyayazdirici' - printing a file, 'baglantiaç' - open link, 'bayt' - byte. The screenshot above is a part of the code that fetches the initial payload via URL passed from the landing page. Once it's downloaded, it'll be stored in the default temporary-file directory with hardcoded filename - 'thefire.exe'.

The link to the initial payload was dead by the time the capture was performed. Judging by the filename - 'install_flash_player.exe', it could have been 'ZeroAccess'.

One rather odd thing is the name for the method performing the exploit - 'uganda'. Maybe the author's favourite country or maybe the target, who knows.